Last edit: 29/06/2023
A new Essential Health and Safety Requirement was added to deal with the issue that the safety of a Machinery might be affected by IT security attacks related to the direct or remote access to a safety-related control system by persons for intentional abuse (unintended uses).
The aim is not that the machinery is so well protected that a breach into its control system is impossible. The aim is that:
- The machine is adequately protected against attacks that have an impact on its EHSR
- In case of a breach, the machine detects it.
- The software and the data used by the control system that have an impact on the machinery EHSR is first of all identified and than adequately protected
[MPR: 2023 text] 1.1.9. Protection against corruption
The machinery or related product shall be designed and constructed so that the connection to it of another device, via any feature of the connected device itself or via any remote device that communicates with the machinery or related product does not lead to a hazardous situation.
A hardware component transmitting signal or data, relevant for connection or access to software that is critical for the compliance of the machinery or related product with the relevant essential health and safety requirements shall be designed so that it is adequately protected against accidental or intentional corruption. The machinery or related product shall collect evidence of a legitimate or illegitimate intervention in that hardware component, when relevant for connection or access to software that is critical for the compliance of the machinery or related product.
Software and data that are critical for the compliance of the machinery or related product with the relevant essential health and safety requirements shall be identified as such and shall be adequately protected against accidental or intentional corruption.
The machinery or related product shall identify the software installed on it that is necessary for it to operate safely, and shall be able to provide that information at all times in an easily accessible form.
Different standards deal with IT Security issues:
- IEC/TS 62443 series: Industrial communication networks – Network and system security
- IEC/TR 63074: 2023 Safety of machinery – Security aspects related to functional safety of safety-related control systems.
- ISO/TR 22053: Safety of machinery — Safeguarding supportive system
- ISO/TR 22100-4: 2018 – Safety of machinery — Relationship with ISO 12100 — Part 4: Guidance to machinery manufacturers for consideration of related IT-security (cyber security) aspects.
None of those standards is harmonised to the Machinery Directive nor will be harmonised to the Machinery Regulation. A working group was started in May 2023 with the assignment of writing an IEC standard, to be eventually harmonised to the Machinery Regualtion.